Congress is considering amending the Computer Fraud and Abuse Act (CFAA) to, among other things, make the statute technology-neutral, simplify its sentencing scheme, and expand the scope of—and enhance penalties for—certain offenses. One proposed amendment, however, would limit the scope of a controversial provision of the CFAA, which the US Department of Justice (DOJ) seeks to utilize in prosecuting website users who violate online “terms of service” or “terms of use” agreements. If the amendment, which has already been accepted by the Senate Judiciary Committee but is opposed by the DOJ, does not pass, the federal government will continue to enjoy unfettered authority to file criminal charges against any individual who breaches an online contract with the operator of a website such as Facebook, Match.com, or YouTube.

The CFAA, enacted in 1986 and amended most recently in 2008, seeks to protect classified information, financial records, and credit information stored on governmental and financial institution computers by punishing those who intentionally access protected computers without authorization—or “exceed authorized access”—and thereby commit fraud or obtain sensitive information. Although the CFAA is primarily a criminal statute, Congress passed an amendment in 1994 allowing for private causes of action where violations cause loss or damage.

Critics argue that the CFAA, in its current form, poses a substantial threat to civil liberties because its definition of “exceeds authorized access” criminalizes any violation of online terms of service. Former DOJ prosecutor and current law professor Orin Kerr, in testimony before the House Judiciary Subcommittee on Crime, Terrorism, and Homeland Security on November 15, 2011, explained that the provision “criminalizes conduct as innocuous as using a fake name on Facebook or lying about weight in an online dating profile.” Kerr argued that website operators already have a satisfactory remedy for users’ violations of their terms of service, namely, filing a lawsuit in state court under a breach of contract theory. The proposed amendment, he explained, narrows the CFAA to prevent the criminalization of contract breaches, while carving out a significant exception enabling prosecutions for federal employees who misuse sensitive government databases.

A DOJ official who also testified before the House subcommittee called upon Congress to reject the proposed amendment limiting the scope of the CFAA’s definition of “exceeds authorized access.” Richard Downing, the DOJ’s deputy chief for computer crime, acknowledged the controversy surrounding the provision, but rejected the idea that the DOJ would expend valuable resources on trivial violations of websites’ terms of service and argued that restricting the statute to disallow such prosecutions “would make it difficult or impossible to deter and address serious insider threats through prosecution.” In support of his argument, Downey cited the DOJ’s “routine” use of this tool in prosecutions of public and private sector employees who are given access to sensitive information subject to express access restrictions, but who then violate those restrictions to access the information for illicit purposes.

Lending some credibility to the concerns of DOJ overreach is the recent federal prosecution of a Missouri woman under the CFAA. United States v. Drew , No. CR 08-0582-GW (. CD Cal. 2009). The woman, Lori Drew, violated MySpace’s terms of service by fraudulently creating and using a MySpace profile to impersonate a teenage boy and bully a 13-year-old girl to the point that she committed suicide. Although a jury found Drew guilty of violating the CFAA, her conviction was later overturned when a federal district court judge ruled that a conviction under the CFAA based only on a defendant’s intentional violation of a website’s terms of service is unconstitutionally vague.

Website operators should be aware of the impact of their terms of service, and all subscribers to computer services and users of online databases should be aware of the CFAA’s broad scope. Arent Fox will continue to monitor these developments.

For more information, please contact the attorneys listed above.